.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "PUPPET\-CA" "8" "May 2015" "Puppet Labs, LLC" "Puppet manual"
.
.SH "NAME"
\fBpuppet\-ca\fR \- Local Puppet Certificate Authority management\.
.
.SH "SYNOPSIS"
puppet ca \fIaction\fR
.
.SH "DESCRIPTION"
This provides local management of the Puppet Certificate Authority\.
.
.P
You can use this subcommand to sign outstanding certificate requests, list and manage local certificates, and inspect the state of the CA\.
.
.SH "OPTIONS"
Note that any setting that\'s valid in the configuration file is also a valid long argument, although it may or may not be relevant to the present action\. For example, \fBserver\fR and \fBrun_mode\fR are valid settings, so you can specify \fB\-\-server <servername>\fR, or \fB\-\-run_mode <runmode>\fR as an argument\.
.
.P
See the configuration file documentation at \fIhttp://docs\.puppetlabs\.com/references/stable/configuration\.html\fR for the full list of acceptable parameters\. A commented list of all configuration options can also be generated by running puppet with \fB\-\-genconfig\fR\.
.
.TP
\-\-render\-as FORMAT
The format in which to render output\. The most common formats are \fBjson\fR, \fBs\fR (string), \fByaml\fR, and \fBconsole\fR, but other options such as \fBdot\fR are sometimes available\.
.
.TP
\-\-verbose
Whether to log verbosely\.
.
.TP
\-\-debug
Whether to log debug information\.
.
.SH "ACTIONS"
.
.TP
\fBdestroy\fR \- Destroy named certificate or pending certificate request\.
\fBSYNOPSIS\fR
.
.IP
puppet ca destroy
.
.IP
\fBDESCRIPTION\fR
.
.IP
Destroy named certificate or pending certificate request\.
.
.TP
\fBfingerprint\fR \- Print the DIGEST (defaults to the signing algorithm) fingerprint of a host\'s certificate\.
\fBSYNOPSIS\fR
.
.IP
puppet ca fingerprint [\-\-digest ALGORITHM]
.
.IP
\fBDESCRIPTION\fR
.
.IP
Print the DIGEST (defaults to the signing algorithm) fingerprint of a host\'s certificate\.
.
.IP
\fBOPTIONS\fR \fI\-\-digest ALGORITHM\fR \- The hash algorithm to use when displaying the fingerprint
.
.TP
\fBgenerate\fR \- Generate a certificate for a named client\.
\fBSYNOPSIS\fR
.
.IP
puppet ca generate [\-\-dns\-alt\-names NAMES]
.
.IP
\fBDESCRIPTION\fR
.
.IP
Generate a certificate for a named client\.
.
.IP
\fBOPTIONS\fR \fI\-\-dns\-alt\-names NAMES\fR \- The comma\-separated list of alternative DNS names to use for the local host\.
.
.IP
When the node generates a CSR for itself, these are added to the request as the desired \fBsubjectAltName\fR in the certificate: additional DNS labels that the certificate is also valid answering as\.
.
.IP
This is generally required if you use a non\-hostname \fBcertname\fR, or if you want to use \fBpuppet kick\fR or \fBpuppet resource \-H\fR and the primary certname does not match the DNS name you use to communicate with the host\.
.
.IP
This is unnecessary for agents, unless you intend to use them as a server for \fBpuppet kick\fR or remote \fBpuppet resource\fR management\.
.
.IP
It is rarely necessary for servers; it is usually helpful only if you need to have a pool of multiple load balanced masters, or for the same master to respond on two physically separate networks under different names\.
.
.TP
\fBlist\fR \- List certificates and/or certificate requests\.
\fBSYNOPSIS\fR
.
.IP
puppet ca list [\-\-[no\-]all] [\-\-[no\-]pending] [\-\-[no\-]signed] [\-\-digest ALGORITHM] [\-\-subject PATTERN]
.
.IP
\fBDESCRIPTION\fR
.
.IP
This will list the current certificates and certificate signing requests in the Puppet CA\. You will also get the fingerprint, and any certificate verification failure reported\.
.
.IP
\fBOPTIONS\fR \fI\-\-[no\-]all\fR \- Include all certificates and requests\.
.
.IP
\fI\-\-digest ALGORITHM\fR \- The hash algorithm to use when displaying the fingerprint
.
.IP
\fI\-\-[no\-]pending\fR \- Include pending certificate signing requests\.
.
.IP
\fI\-\-[no\-]signed\fR \- Include signed certificates\.
.
.IP
\fI\-\-subject PATTERN\fR \- Only include certificates or requests where subject matches PATTERN\.
.
.IP
PATTERN is interpreted as a regular expression, allowing complex filtering of the content\.
.
.TP
\fBprint\fR \- Print the full\-text version of a host\'s certificate\.
\fBSYNOPSIS\fR
.
.IP
puppet ca print
.
.IP
\fBDESCRIPTION\fR
.
.IP
Print the full\-text version of a host\'s certificate\.
.
.TP
\fBrevoke\fR \- Add certificate to certificate revocation list\.
\fBSYNOPSIS\fR
.
.IP
puppet ca revoke
.
.IP
\fBDESCRIPTION\fR
.
.IP
Add certificate to certificate revocation list\.
.
.TP
\fBsign\fR \- Sign an outstanding certificate request\.
\fBSYNOPSIS\fR
.
.IP
puppet ca sign [\-\-[no\-]allow\-dns\-alt\-names]
.
.IP
\fBDESCRIPTION\fR
.
.IP
Sign an outstanding certificate request\.
.
.IP
\fBOPTIONS\fR \fI\-\-[no\-]allow\-dns\-alt\-names\fR \- Whether or not to accept DNS alt names in the certificate request
.
.TP
\fBverify\fR \- Verify the named certificate against the local CA certificate\.
\fBSYNOPSIS\fR
.
.IP
puppet ca verify
.
.IP
\fBDESCRIPTION\fR
.
.IP
Verify the named certificate against the local CA certificate\.
.
.SH "COPYRIGHT AND LICENSE"
Copyright 2011 by Puppet Labs Apache 2 license; see COPYING
